838c50a Fix libexpat buffer overflow: CVE-2015-1283 — HardenedBSD-pkg

rad:z3QDZAW2FAfuLvihrhiyDC9fAD8G9

HardenedBSD Package Manager

Fix libexpat buffer overflow: CVE-2015-1283

Baptiste Daroussin committed 10 years ago

commit 838c50ada6299d7e811f2e839de676aa320e75b3
parent abc80cd

1 file changed +21 -2

modified external/expat/lib/xmlparse.c

@@ -1678,6 +1678,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)

 void * XMLCALL
 XML_GetBuffer(XML_Parser parser, int len)
 {
 /* BEGIN MOZILLA CHANGE (sanity check len) */
   if (len < 0) {
     errorCode = XML_ERROR_NO_MEMORY;
     return NULL;
   }
 /* END MOZILLA CHANGE */
   switch (ps_parsing) {
   case XML_SUSPENDED:
     errorCode = XML_ERROR_SUSPENDED;

@@ -1689,8 +1695,13 @@ XML_GetBuffer(XML_Parser parser, int len)

   }
   if (len > bufferLim - bufferEnd) {
     /* FIXME avoid integer overflow */
     int neededSize = len + (int)(bufferEnd - bufferPtr);
 /* BEGIN MOZILLA CHANGE (sanity check neededSize) */
     if (neededSize < 0) {
       errorCode = XML_ERROR_NO_MEMORY;
       return NULL;
     }
 /* END MOZILLA CHANGE */
 #ifdef XML_CONTEXT_BYTES
     int keep = (int)(bufferPtr - buffer);

@@ -1719,7 +1730,15 @@ XML_GetBuffer(XML_Parser parser, int len)

         bufferSize = INIT_BUFFER_SIZE;
       do {
         bufferSize *= 2;
       } while (bufferSize < neededSize);
 /* BEGIN MOZILLA CHANGE (prevent infinite loop on overflow) */
       } while (bufferSize < neededSize && bufferSize > 0);
 /* END MOZILLA CHANGE */
 /* BEGIN MOZILLA CHANGE (sanity check bufferSize) */
       if (bufferSize <= 0) {
         errorCode = XML_ERROR_NO_MEMORY;
         return NULL;
       }
 /* END MOZILLA CHANGE */
       newBuf = (char *)MALLOC(bufferSize);
       if (newBuf == 0) {
         errorCode = XML_ERROR_NO_MEMORY;